You are correct. This is one of the major reasons we have adopted the ‘sign in’ metaphor. When you register you get what we call an ‘AxCrypt ID’. In fact this is a RSA-4096 key pair generated on the server. The public key is available from the server via a public REST API. The private key is kept in an AxCrypt-encrypted form, using the sign in password, on the server for backup.
Actual file encryption is done by generating a strong pseudo-random 128 or 256 bit (if the user has Premium) session key, unique for every file and file encryption. This key is then encrypted iteratively (wrapped) using the sign in password, the sign in public key, and any other persons public key that the file key should be shared with. The set of public keys used are also embedded in the file, so it can be re-encrypted without further server interaction.
In order to do server lookups of other persons public keys, Premium is required. Anyone with AxCrypt, Free or Premium, can always decrypt and work with encrypted files, regardless of the encryption strength or if it uses key sharing. We’ll never lock anyone out of their data because Premium has expired.
I hope this explains! We’ll be publishing full specifications of the file format, and the protocols used. The API is already public, but we have not yet made documentation available. It’s use can of course be inferred from the source code, or simply to use the open source library is the easiest way though. The only reason we’ve not yet published text documentation is just time constraints, and that we’d like to keep the capability to evolve it a little longer.